password security
John Merrill
merrill at bucasb
Sat Dec 24 04:22:25 AEST 1988
In article <4469 at xenna.Encore.COM>, bzs at Encore (Barry Shein) writes:
>
>From: prh at actnyc.UUCP (Paul R. Haas)
>>In article <4444 at xenna.Encore.COM> bzs at Encore.COM (Barry Shein) writes:
>>>The average secretary I know is bright enough to understand rules like
>>>"use two short words with some upper-case letters and/or digits thrown
>>>in and separated by a punctuation, like "Hey!Jude" "FidoIS#1". Very
>>>hard to guess, very easy to remember, next...
>
>>Give a thousand secretaries that same set of instructions and you will
>>get far less than a thousand different passwords. Sort them in order
>>of frequency and try them all on whatever system you are trying to
>>crack. You certainly won't be able to break all the accounts, but you
>>will get a few.
>
>Is this based on *anything*? Or just a wild guess, sounds utterly
>baseless to me. You honestly think if I told 1000 people to:
>
> choose two short words separated by a punctuation character
> and mix some upper-lower case into the words
>
>I would frequently get the exact same result from different people?
Yes, Barry, you would. Why do I know this? Consider the following
modification of your paradigm:

    choose an English word of at most eight characters, mixing
    both upper and lower case in the word. You must be able to
    recall this word easily---without writing the word down.

Guess what! There's a short list that covers the vast majority of
these words. This list is dominated by the hundred most common names
(in the local language), followed by a collection of folk names.
(For your test, I'd expect to see things like Frodo!Ba[ggins], at
least if the target audience was of CS nerds.)
Is the idea a bad one? No, not at all, if only because it might take
a while to extract the statistics of the process. But in the long
run, the two paradigms are probably equal.
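The thread's argument is that a rule such as "two short words, some upper case, a punctuation character" has a large nominal key space but a very skewed real distribution, so that a frequency-sorted guess list opens a noticeable share of a thousand accounts. The following Python program is an added illustration, not code from the thread or from any of its authors: it models a population that follows the rule with constructed, assumed preferences (a Zipf-shaped word popularity, a skewed choice of punctuation and capitalisation) and computes the nominal bits, the Shannon and min-entropy of the actual distribution, the expected number of distinct passwords among 1000 users, and the expected fraction of accounts covered by the top-k guesses. Words are abstract popularity ranks, so no word list is involved, and every weight is an assumption for illustration rather than measured data.

```python
"""Guessability of a "two words + punctuation + mixed case" password rule.

Constructed example (not from the original thread): a population of users who all
follow the rule but choose words, punctuation and capitalisation with the skewed
preferences people actually have.  The nominal key space is large; the question is
how much of a 1000-account population a frequency-sorted guess list recovers.
All weights below are assumptions for illustration.
"""
import math
from itertools import product


def normalise(weights):
    """Turn a dict of relative weights into probabilities that sum to 1."""
    total = sum(weights.values())
    return {k: v / total for k, v in weights.items()}


def zipf(n, s=1.0):
    """Zipf popularity for n ranked items: rank r has weight 1/r**s (assumed model)."""
    raw = [1.0 / r ** s for r in range(1, n + 1)]
    total = sum(raw)
    return [w / total for w in raw]


# Assumed model of how the rule gets applied in practice.  Words are abstract
# ranks (rank 1 = the word people reach for most), so no word list is needed.
VOCAB_SIZE = 100
WORD_P = zipf(VOCAB_SIZE, s=1.0)
PUNCT_P = normalise({"!": 40, ".": 25, "#": 15, "-": 10, "?": 6, "@": 4})
CASE_P = normalise({"Capitalised": 55, "CAPS": 20, "lower": 15, "aLtErNaTe": 10})


def password_distribution():
    """Probability of every password the rule can produce, most likely first."""
    probs = [
        w1 * w2 * pp * pc
        for w1, w2, pp, pc in product(WORD_P, WORD_P, PUNCT_P.values(), CASE_P.values())
    ]
    probs.sort(reverse=True)
    return probs


def analyse(n_users=1000, guess_budgets=(1, 10, 100, 1000)):
    """Compare the nominal strength of the rule with its real guessability."""
    probs = password_distribution()
    space = len(probs)
    cumulative = 0.0
    coverage = {}
    guesses_for_half = None
    for k, p in enumerate(probs, start=1):
        cumulative += p
        if k in guess_budgets:
            coverage[k] = cumulative          # mass captured by the k best guesses
        if guesses_for_half is None and cumulative >= 0.5:
            guesses_for_half = k
    return {
        "space": space,
        "naive_bits": math.log2(space),               # what the rule looks like on paper
        "shannon_bits": -sum(p * math.log2(p) for p in probs),
        "min_entropy_bits": -math.log2(probs[0]),     # strength against the single best guess
        # Expected number of distinct passwords among n_users people following the rule.
        "expected_distinct": sum(1 - (1 - p) ** n_users for p in probs),
        # Expected fraction of the n_users accounts opened by the k most likely guesses.
        "coverage": coverage,
        "guesses_for_half": guesses_for_half,
    }


if __name__ == "__main__":
    r = analyse()
    print(f"nominal space  : {r['space']} passwords ({r['naive_bits']:.1f} bits)")
    print(f"Shannon entropy: {r['shannon_bits']:.1f} bits, min-entropy {r['min_entropy_bits']:.1f} bits")
    print(f"distinct passwords expected among 1000 users: {r['expected_distinct']:.0f}")
    for k, c in sorted(r["coverage"].items()):
        print(f"top {k:>4} guesses open about {c * 1000:4.0f} of 1000 accounts")
    print(f"guesses needed to open half the accounts: {r['guesses_for_half']}")
```

Under these assumed weights the rule looks like roughly 18 bits on paper, but the min-entropy (the only figure that matters against the single most popular password) is under 8 bits, and ten guesses already open a few percent of the accounts. The defensive reading is the one Merrill gives above: a rule that lets users choose from a small, shared mental vocabulary needs either a much larger effective choice set or a check against the most frequent outputs of the rule itself.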